

BitLocker with TPM - Doesn't Ask For Boot Time Password

Question

Tuesday, October 9, 2018 7:34 PM

Windows 10 Pro

8Gb / 500Gb

TPM is recognized.

* If the computer is stolen we do not want the hard drive accessed.  I understand they may know the boot time password, which makes the encryption useless.  But if stolen, they wouldn't have the user name / password to log in.  But in case they can hack that, a boot time password is preferred.

Installing BitLocker since TrueCrypt went EOL (or end of existence).

I thought BitLocker would ask for a boot time password.  Reading some of the BL documentation and tutorials, some of the docs state it should ask for a boot time password.   This installation doesn't (actually 2nd time I've done it).

Darryl

All replies (2)

Wednesday, October 10, 2018 8:01 AM

Hi,
A boot time password is authentication information that is sometimes required to log into a computer's BIOS before the machine will boot up. It's different from BitLocker encryption. BitLocker is volume-based encryption. It won't ask for a boot time password.

BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by:
• Encrypting volumes on your computer. For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
• Ensuring the integrity of early boot components and boot configuration data. On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.

A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification standards for a highly secure Windows 10 device.

For more information, you can refer to the following links:
BitLocker Countermeasures
/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
https://security.stackexchange.com/questions/73331/can-a-physical-attacker-compromise-a-windows-machine-with-uefi-secure-boot-and

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Hope these are helpful.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Friday, October 12, 2018 4:13 PM

BitLocker can be set up to require preboot authentication if that is what you want. See https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/
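As an added illustration of the second reply (this script is not from the thread, Microsoft, or the linked guide), the following PowerShell audits the OS volume's BitLocker key protectors and, where policy permits, replaces the TPM-only protector with a TPM+PIN one so Windows prompts for a PIN before boot. It assumes an elevated PowerShell on Windows 10 with the BitLocker module, and reads the documented "Require additional authentication at startup" policy values under the FVE policy key.

```powershell
# Added example, not part of the thread: audit the OS volume's BitLocker key
# protectors and, if policy allows it, switch from TPM-only to TPM+PIN so the
# machine prompts for a PIN before Windows boots. Run as a script in an
# elevated PowerShell on Windows 10. On managed machines set the policy via
# GPO/Intune rather than editing the registry values checked below.

$osDrive = $env:SystemDrive            # normally "C:"
$vol = Get-BitLockerVolume -MountPoint $osDrive

Write-Host "Volume $osDrive  Protection=$($vol.ProtectionStatus)  Encrypted=$($vol.EncryptionPercentage)%"
Write-Host "Key protectors:"
foreach ($kp in $vol.KeyProtector) { Write-Host ("  {0,-16} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId) }

$tpmPin   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

if ($tpmPin)        { Write-Host 'TPM+PIN protector present: a pre-boot PIN is already required.'; return }
if (-not $recovery) { Write-Warning 'No recovery password protector; add one and back it up before changing protectors.'; return }

# "Require additional authentication at startup": UseAdvancedStartup=1 enables the
# policy; UseTPMPIN 1 = Require, 2 = Allow, 0 = Do not allow a startup PIN with TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if ($pol.UseAdvancedStartup -ne 1 -or $pol.UseTPMPIN -eq 0) {
    Write-Warning 'Policy does not allow a TPM startup PIN; enable "Require additional authentication at startup" first.'
    return
}

# Add the TPM+PIN protector (default PIN rules: 6-20 digits unless enhanced PINs are enabled).
$pin = Read-Host -Prompt 'Enter the new startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null

# BitLocker keeps a single TPM-based protector; remove a leftover TPM-only one if it is still listed.
$left = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
foreach ($kp in $left) { Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null }

# Final state: expect TpmPin plus RecoveryPassword, no bare Tpm protector.
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

Reboot afterwards to confirm the PIN prompt appears before the Windows sign-in screen; keep the recovery password available in case the PIN is forgotten.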